MariaDB Server / MDEV-38886

SIGSEGV in TDBXML::DeleteDB on DELETE

Details

    • Can result in hang or crash

    Description

      INSTALL SONAME 'ha_connect';
      CREATE TABLE t (i INT) ENGINE=Connect table_type=XML option_list='xmlsup=libxml2';
      INSERT INTO t VALUES ();
      DELETE FROM t;
      

      Leads to:

      CS 12.3.1 21a0714a118614982d20bfa504763d7247800091 (Debug, Clang 21.1.3-20250923) Build 17/02/2026

      Core was generated by `/test/MD170226-mariadb-12.3.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00007c4b96e09ee5 in TDBXML::DeleteDB (this=0x7c4a6fe002a0, g=0x7c4a74048850, irc=3) at /test/12.3_dbg/storage/connect/tabxml.cpp:1338
       
      [Current thread is 1 (LWP 2205730)]
      (gdb) bt
      #0  0x00007c4b96e09ee5 in TDBXML::DeleteDB (this=0x7c4a6fe002a0, g=0x7c4a74048850, irc=3) at /test/12.3_dbg/storage/connect/tabxml.cpp:1338
      #1  0x00007c4b96d30cd4 in CntDeleteRow (g=0x7c4a74048850, tdbp=0x7c4a6fe002a0, all=true) at /test/12.3_dbg/storage/connect/connect.cc:527
      #2  0x00007c4b96d19c48 in ha_connect::delete_all_rows (this=0x7c4a740454f8) at /test/12.3_dbg/storage/connect/ha_connect.cc:4483
      #3  0x0000573c7351f121 in handler::ha_delete_all_rows (this=0x7c4a740454f8) at /test/12.3_dbg/sql/handler.cc:5820
      #4  0x0000573c739228b2 in Sql_cmd_delete::delete_from_single_table (this=0x7c4a7401b098, thd=0x7c4a74000d58) at /test/12.3_dbg/sql/sql_delete.cc:534
      #5  0x0000573c7392844d in Sql_cmd_delete::execute_inner (this=0x7c4a7401b098, thd=0x7c4a74000d58) at /test/12.3_dbg/sql/sql_delete.cc:2170
      #6  0x0000573c73a4e7f9 in Sql_cmd_dml::execute (this=0x7c4a7401b098, thd=0x7c4a74000d58) at /test/12.3_dbg/sql/sql_select.cc:34848
      #7  0x0000573c7399c28b in mysql_execute_command (thd=0x7c4a74000d58, is_called_from_prepared_stmt=false) at /test/12.3_dbg/sql/sql_parse.cc:4442
      #8  0x0000573c73993678 in mysql_parse (thd=0x7c4a74000d58, rawbuf=0x7c4a7401a120 "DELETE FROM t", length=13, parser_state=0x7c4bd4dfd9f0) at /test/12.3_dbg/sql/sql_parse.cc:7940
      #9  0x0000573c73990e2e in dispatch_command (command=COM_QUERY, thd=0x7c4a74000d58, packet=0x7c4a7400b4c9 "DELETE FROM t", packet_length=13, blocking=true) at /test/12.3_dbg/sql/sql_parse.cc:1896
      #10 0x0000573c739940fa in do_command (thd=0x7c4a74000d58, blocking=true) at /test/12.3_dbg/sql/sql_parse.cc:1432
      #11 0x0000573c73b9399e in do_handle_one_connection (connect=0x573c778f0538, put_in_cache=true) at /test/12.3_dbg/sql/sql_connect.cc:1503
      #12 0x0000573c73b93781 in handle_one_connection (arg=0x573c778d40f8) at /test/12.3_dbg/sql/sql_connect.cc:1415
      #13 0x00007c4be069ca94 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
      #14 0x00007c4be0729c3c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Note: scroll right to see significant stack differences between versions/build types:

      Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  10.6   opt  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|mysql_delete|mysql_execute_command
      CS  10.11  dbg  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  10.11  opt  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|mysql_delete|mysql_execute_command
      CS  11.4   dbg  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  11.4   opt  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|Sql_cmd_delete::delete_from_single_table|Sql_cmd_delete::execute_inner
      CS  11.8   dbg  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  11.8   opt  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|handler::ha_delete_all_rows|Sql_cmd_delete::delete_from_single_table
      CS  12.2   dbg  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  12.2   opt  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|handler::ha_delete_all_rows|Sql_cmd_delete::delete_from_single_table
      CS  12.3   dbg  170226  21a0714a118614982d20bfa504763d7247800091  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  12.3   opt  170226  21a0714a118614982d20bfa504763d7247800091  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|handler::ha_delete_all_rows|Sql_cmd_delete::delete_from_single_table
      ES  10.6   dbg  230126  0fe345fff3a0463224ca714831303d40fb83648b  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      ES  10.6   opt  230126  0fe345fff3a0463224ca714831303d40fb83648b  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|mysql_delete|mysql_execute_command
      ES  11.4   dbg  230126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      ES  11.4   opt  230126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|Sql_cmd_delete::delete_from_single_table|Sql_cmd_delete::execute_inner
      ES  11.8   dbg  230126  405ee76b60c4ab82155f339136ed20d3b7363717  SIGSEGV|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      ES  11.8   opt  230126  405ee76b60c4ab82155f339136ed20d3b7363717  SIGSEGV|TDBXML::DeleteDB|ha_connect::delete_all_rows|handler::ha_delete_all_rows|Sql_cmd_delete::delete_from_single_table              
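
      The UniqueID column above reads as the signal name followed by the first four frame names of the backtrace. The following is an added example, not code from this report or from the MariaDB QA tooling, that derives such a signature from gdb output so crashes can be bucketed across builds. The signature layout is an assumption inferred from the matrix rows; the function names, the simulated "opt" trace and the bucket key (signal plus faulting frame) are hypothetical.

```python
import re

# Constructed input: the gdb output quoted in this report (12.3 dbg), trimmed
# to five frames, with frame #0 printed twice as gdb does after loading a core.
DBG_BT = """\
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007c4b96e09ee5 in TDBXML::DeleteDB (this=0x7c4a6fe002a0, g=0x7c4a74048850, irc=3) at /test/12.3_dbg/storage/connect/tabxml.cpp:1338
(gdb) bt
#0  0x00007c4b96e09ee5 in TDBXML::DeleteDB (this=0x7c4a6fe002a0, g=0x7c4a74048850, irc=3) at /test/12.3_dbg/storage/connect/tabxml.cpp:1338
#1  0x00007c4b96d30cd4 in CntDeleteRow (g=0x7c4a74048850, tdbp=0x7c4a6fe002a0, all=true) at /test/12.3_dbg/storage/connect/connect.cc:527
#2  0x00007c4b96d19c48 in ha_connect::delete_all_rows (this=0x7c4a740454f8) at /test/12.3_dbg/storage/connect/ha_connect.cc:4483
#3  0x0000573c7351f121 in handler::ha_delete_all_rows (this=0x7c4a740454f8) at /test/12.3_dbg/sql/handler.cc:5820
#4  0x0000573c739228b2 in Sql_cmd_delete::delete_from_single_table (this=0x7c4a7401b098, thd=0x7c4a74000d58) at /test/12.3_dbg/sql/sql_delete.cc:534
"""

# Simulated optimized build (constructed): CntDeleteRow is inlined, so its
# frame is simply absent from the trace.
OPT_BT = "\n".join(l for l in DBG_BT.splitlines() if "CntDeleteRow" not in l)

SIGNAL_RE = re.compile(r"terminated with signal (SIG[A-Z0-9]+)")
# "#N  [0xADDR in ]function (args...)"; gdb omits the address on some frames.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.+?)\s+\(")


def crash_signature(backtrace, depth=4):
    """Return 'SIGNAL|frame0|...|frameN' for the first `depth` frames."""
    sig = SIGNAL_RE.search(backtrace)
    signal = sig.group(1) if sig else "UNKNOWN"
    frames, last = [], -1
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        number = int(m.group(1))
        if number <= last:      # skip the repeated frame #0 line
            continue
        last = number
        frames.append(m.group(2))
    return "|".join([signal] + frames[:depth])


def bucket_key(signature):
    """Signal plus faulting frame: stable across dbg/opt inlining differences."""
    return "|".join(signature.split("|")[:2])


if __name__ == "__main__":
    for name, bt in (("dbg", DBG_BT), ("opt", OPT_BT)):
        s = crash_signature(bt)
        print(name, bucket_key(s), s)
```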
      

      And UBSAN sees a null-pointer-use issue:

      CS 12.3.1 21a0714a118614982d20bfa504763d7247800091 (Debug, UBASAN, Clang 21.1.3-20250923) Build 17/02/2026

      /test/12.3_dbg_san/storage/connect/tabxml.cpp:1338:29: runtime error: member call on null pointer of type 'XMLNODELIST'
          #0 0x701183456412 in TDBXML::DeleteDB(_global*, int) /test/12.3_dbg_san/storage/connect/tabxml.cpp:1338:29
          #1 0x70118312b6a8 in CntDeleteRow(_global*, TDB*, bool) /test/12.3_dbg_san/storage/connect/connect.cc
          #2 0x7011830fcd7f in ha_connect::delete_all_rows() /test/12.3_dbg_san/storage/connect/ha_connect.cc:4483:9
          #3 0x64685149830f in handler::ha_delete_all_rows() /test/12.3_dbg_san/sql/handler.cc:5820:12
          #4 0x64685228dec9 in Sql_cmd_delete::delete_from_single_table(THD*) /test/12.3_dbg_san/sql/sql_delete.cc:534:9
          #5 0x6468522a90bf in Sql_cmd_delete::execute_inner(THD*) /test/12.3_dbg_san/sql/sql_delete.cc:2170:28
          #6 0x646852762540 in Sql_cmd_dml::execute(THD*) /test/12.3_dbg_san/sql/sql_select.cc:34848:9
          #7 0x64685244ea42 in mysql_execute_command(THD*, bool) /test/12.3_dbg_san/sql/sql_parse.cc:4442:27
          #8 0x646852431678 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.3_dbg_san/sql/sql_parse.cc:7940:18
          #9 0x64685242937e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.3_dbg_san/sql/sql_parse.cc:1896:7
          #10 0x646852433aba in do_command(THD*, bool) /test/12.3_dbg_san/sql/sql_parse.cc:1432:17
          #11 0x646852c6021c in do_handle_one_connection(CONNECT*, bool) /test/12.3_dbg_san/sql/sql_connect.cc:1503:11
          #12 0x646852c5fd25 in handle_one_connection /test/12.3_dbg_san/sql/sql_connect.cc:1415:5
          #13 0x64685132982a in asan_thread_start(void*) crtstuff.c
          #14 0x74125989ca93 in start_thread nptl/pthread_create.c:447:8
          #15 0x741259929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/12.3_dbg_san/storage/connect/tabxml.cpp:1338:29 
      

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # You may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues, see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|mysql_delete
      CS  10.6   opt  230126  cd02709a315c9f08965d6b8fb7e75baaae17a4f4  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|mysql_delete
      CS  10.11  dbg  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|mysql_delete
      CS  10.11  opt  230126  b061b5ab1f2cd2a6993e53dc24a865304ced14cd  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|mysql_delete
      CS  11.4   dbg  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|Sql_cmd_delete::delete_from_single_table
      CS  11.4   opt  260126  b6d0e23d76fe5936b6a29379ab494852e4d493b1  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|Sql_cmd_delete::delete_from_single_table
      CS  11.8   dbg  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  11.8   opt  230126  01ff5ae6b677bead4c41d91bf5afb25c593a1d02  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  12.2   dbg  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  12.2   opt  230126  6ca70dd64ce56da40fad3bcd0641493210dd0a4c  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  12.3   dbg  170226  21a0714a118614982d20bfa504763d7247800091  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      CS  12.3   opt  170226  21a0714a118614982d20bfa504763d7247800091  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      ES  10.6   dbg  260126  0fe345fff3a0463224ca714831303d40fb83648b  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|mysql_delete
      ES  10.6   opt  230126  0fe345fff3a0463224ca714831303d40fb83648b  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|mysql_delete
      ES  11.4   dbg  260126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|Sql_cmd_delete::delete_from_single_table
      ES  11.4   opt  260126  34f616d5fd2c649d0c79acb4e2423c90b8f10436  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|Sql_cmd_delete::delete_from_single_table
      ES  11.8   dbg  230126  405ee76b60c4ab82155f339136ed20d3b7363717  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      ES  11.8   opt  230126  405ee76b60c4ab82155f339136ed20d3b7363717  UBSAN|member call on null pointer of type 'XMLNODELIST'|storage/connect/tabxml.cpp|TDBXML::DeleteDB|CntDeleteRow|ha_connect::delete_all_rows|handler::ha_delete_all_rows
      

      Testcase is CLI and MTR compatible.

          People

            danblack Daniel Black
            Roel Roel Van de Paar